[Figure (network diagram residue): a typical corporate DMZ, with ISAT agents installed on all systems and a proxy server.]
[FIGURE 6 (flowchart residue): how the agent loads and runs a sensor block. The sensor block is pushed by the server to the agent. The agent writes this sensor block to disk; the block contains all of the sensor code and config data for each sensor. The agent stops all currently running threads and executes an internal re-start. The agent reads in the new sensor block. The agent forks off a child, passing the sensor and its config data to that child; in the parent, it moves on to the next sensor. The child executes the sensor, then reaches a "Signature Matches" decision; on the Yes branch it encrypts and writes the data to disk.]

FIGURE 6 
How Eval's are run in the Server 

[FIGURE 7 (flowchart residue): agents return the data on disk to the server when requested. The server opens the data directory. The server checks to see which sensor created the current data file. The server executes the appropriate eval, passing it the current data file. A decision box follows whose label is unreadable in the residue; the two outcomes shown are "Erase the current data file from disk" and, on the Yes branch, "Move the data file to /opt/lsatd/debug".]

FIGURE 7 
[Flowchart residue: server startup.]

Server_startup: The first time this is called, $bank is equal to "", which causes server_startup to read in the list of banks and fork off a child for each bank found. 

Server_startup, once it has a bank, reads in all the names of the configuration files found in that bank. 

Server_startup parses each config file name, gathering the IP from the name. It then builds a list of IPs to call and returns this to the caller, along with the name of the bank (the first parameter). 

The main server code starts a loop based on the list of IP addresses. 

For each IP address found in the list, the main server code first checks to see if this is a new config file by looking for the word 'ISAT_NEW' in the IP name. For a new config file, the main server code reads in the config file, building a config package for the agent (see Config Agent Flow Chart). 

The main server code starts a loop based on the list of IPs. 

The main server code formulates an HTTPS GET request to https://IP/?GOT_DATA, where IP is replaced with the actual IP address of the agent. 

The return response is checked. If it contains 'NOCONFIG', the server calls the agent_configuration API (see Config Agent Flow Chart). 

END 
[Table (figure residue; header and column structure not recoverable): a monitoring feature matrix with "Yes" entries. Recoverable row labels: Firewalls; Firewall historical policy reports; Show who installed policies and when; Monitor logins to Provider-1 and managers; Firewall policy difference reporting; Firewall pseudo rules tracking (policy properties) for auditing; Statistical analysis of firewall [truncated]; Baseline monitor; system file integrity; Data integrity; Network routes, interfaces and arps; Password change history reports; Baseline reporting and alerting; Application monitoring; StoneBeat monitor; Web server monitor. Other labels that survive: Real-time; Alerting; Encrypted/Secure con [truncated].]
FIGURE 11 Integration with Tivoli/Lotus Notes 